exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Confluence Wiki 4.1.4 Cross Site Scripting

Confluence Wiki 4.1.4 Cross Site Scripting
Posted Sep 15, 2012
Authored by INTREST SEC

Confluence Wiki versions 3.5.9, 4.0.3, and 4.1.4 suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 9bcf399a2e8ea5531b3605b2128bf6b02fa2c55f7a7dea89f867a811b06a28d7

Confluence Wiki 4.1.4 Cross Site Scripting

Change Mirror Download
-------------------------------
INTREST SEC | Security Advisory
-------------------------------


Product: Confluence Wiki
Vendor: Atlassian (www.atlassian.com)
Vulnerability Type: Cross Site Scripting (XSS)
Risk Level: High (classified by vendor)
Discovered by: INTREST SEC - NID
Public Diclosure: 2012/09/12
Vendor Notification: 2012/02/07
Tested Versions: 3.5.9, 4.0.3, 4.1.4
CVSS Score: 7.5


## Details

Atlassian Confluence is described as "Collaboration tool for teams to
create, share, and discuss rich content - docs, files, ideas, specs,
diagrams, mockups, anything". (www.atlassian.com)


## Description

A security vulnerability within Atlassian Confluence Wiki has been
identified. It is remotely exploitable and based on the CWE-79 family
Cross-Site-Scripting (XSS). Confluence allows input passed in the URL to
be injected into the HTML structure of an error-page in an unsafe and
unsanitized way. Therefore it is possible to inject nonpersistent
JavasScript code. This vulnerability does not require authentication of
the victim and can easily be exploited by manipulating the GET request.


## Proof of Concept

The following URL triggers the XSS by including <IFRAME
SRC="javascript:alert('XSS')"> into the error page:

http://localhost:8090/pages/includes/
status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E.vm


## Solution

According to the vendor, upgrade to Confluence 4.1.9 or later.


## References

[1] Atlassian Security Advisory
https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-09-11


## Time Table

[2012/02/07] Informed vendor about the vulnerability via ticketing system
[2012/02/08] Informed vendor that Atlassian JIRA (at least 4.4.3 and
4.4.4) is also infected
[2012/02/09] Vendor created a ticket for JIRA vulnerability
[2012/02/09] Vendor response: JIRA problem already known. "The fix
should be available in JIRA 5.0 or 5.0.1"
[2012/03/21] Vendor tagged ticket as fixed.
[2012/04/02] Asked vendor about things like patch release date,
requesting a CVE number, releasing an advisory
[2012/04/03] Vendor response: No dedicated Patch; Version 4.1.9 has been
released; no CVE will requested by vendor
[2012/08/27] Vendor defined advisory release date to 2012/09/11
[2012/08/27] Informed vendor about additional advisory release through
INTREST SEC
[2012/09/11] Vendor released advisory
[2012/09/13] INTREST SEC released advisory


--

INTREST SEC
Intelligent Information Security
-----------------------------------------------------------------------
Kommunalstrasse 15 - A-4020 Linz - Austria
Tel. +43 (0) 732 / 341 060
Fax. +43 (0) 732 / 341 060 - 20
researchlab [at] intrest.at | www.intrest-sec.com
-----------------------------------------------------------------------






Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close